Office of Inspector General
Audit Report

FISMA 2011: PERSISTENT WEAKNESSES IN DOT'S CONTROLS CHALLENGE THE PROTECTION AND SECURITY OF ITS INFORMATION SYSTEMS
Department of Transportation

Report Number: FI-2012-007
Date Issued: November 14, 2011

Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Subject: ACTION: FISMA 2011: Persistent Weaknesses in DOT's Controls Challenge the Protection and Security of its Information Systems, Department of Transportation, Report Number: FI-2012-007
Date: November 14, 2011
From: Calvin L. Scovel III, Inspector General
Reply to Attn. of: JA–20
To: Chief Information Officer

The Department of Transportation's (DOT) operations rely on more than 400 systems—nearly two-thirds of which belong to the Federal Aviation Administration (FAA). These systems represent an annual investment of approximately $3 billion—one of the largest information technology (IT) investments among Federal civilian agencies. The Department's financial systems manage and disburse approximately $90 billion in Federal funds annually.
During 2011 alone, computer hackers have placed a number of major entities' IT systems at risk, including those at the Central Intelligence Agency and Google.

To protect the information systems that support Federal operations from cyber threats, the Federal Information Security Management Act (FISMA) of 2002 requires agencies to develop, document, and implement agencywide information security programs. FISMA also requires agency program officials, chief information officers (CIO), and Inspectors General to conduct annual reviews of their agencies' information security programs and report the results to the Office of Management and Budget (OMB). As part of this review, OMB requires Inspectors General to use 127 security metrics to assess their agency's performance.

Consistent with FISMA and OMB requirements, our overall audit objective was to determine the effectiveness of DOT's information security program and practices. Specifically, we assessed DOT's (1) information security policy and procedures; (2) enterprise-level information security controls;[1] (3) system-level security controls; and (4) management of information security weaknesses. As also required by OMB, we provided our results to OMB via its Web portal.[2]

[1] For purposes of this report, enterprise-level controls are those controls that should be implemented Department-wide—security training, incident response and reporting, capital planning and investment control, and configuration management—and are generally not system-specific.
To conduct our audit and address OMB's 127 metrics, we tested a statistical sample of 64 out of 445 systems, performed analytical reviews of data contained in the Department's Cyber Security Assessment and Management system (CSAM), tested user accounts in 19 general support systems, reviewed supporting documentation, and interviewed departmental officials. We conducted this audit between February and October 2011 in accordance with generally accepted Government auditing standards. Exhibit A details our scope and methodology.

RESULTS IN BRIEF

Despite improvements the Department made to its security controls over the past year, its information security program does not meet Federal requirements and is still not as effective as it should be. Furthermore, the Department has successfully addressed only 19 of the 25 recommendations that remained open since November 2009, and 6 of the 27 recommendations we made in our last FISMA report, issued in November 2010. Following are details of our findings.

1. The Office of the Chief Information Officer (OCIO) has not developed the required procedural guidance to augment its high-level security policy in order for Operating Administrations (OA) to manage information security effectively. OCIO focused its efforts on revising its existing policy and created a strong and flexible cybersecurity policy for the Department, except for the Office of the Secretary of Transportation (OST). According to OCIO, OST management had differing views on needed policy changes. Because agreement was not reached, OST, which includes the Common Operating Environment (COE),[3] is operating without a cybersecurity policy. These weaknesses in OCIO's policy and procedures contribute to the other issues we identified.

2. The Department has not made sufficient progress to implement enterprise-level controls.
   While the Cyber Security Management Center (CSMC) implemented controls that enabled it to confirm that it reported all major security incidents that it received to the Department of Homeland Security (DHS), other weaknesses persist. For example, DOT is still unable to effectively track how many contractors it has on board or manage security baseline configurations for all of its systems. Although more OAs have tools to assess compliance with Federal Desktop Core Configuration (FDCC)[4] requirements, which prescribe secure settings for Windows Experience (XP) software, DOT's compliance has dramatically declined from 90 percent to 70 percent since our last review. Furthermore, the Department does not have any controls that ensure information security is incorporated in its capital planning and investment process.

[2] OMB has designated this information as "For Official Use Only." Consequently, our submission to OMB is not contained in this report.
[3] COE provides network infrastructure support to DOT's Headquarters and remote offices, except FAA and Federal Motor Carrier Safety Administration field sites.

3. DOT has not established adequate controls to protect its systems or to recover them in the event of a disruption. While the completeness of certification and accreditation (C&A) documents has improved, significant weaknesses in the C&A process remain. For example, we project that for 239 of its 445[5] systems, or 54 percent, the Department did not properly test the minimum security controls required by the National Institute of Standards and Technology (NIST).
   We also found that half of the systems in our sample had missing or incomplete contingency plans for system recovery in case of disruptions, and over 40 percent of critical systems did not have adequate backup facilities or testing of their contingency plans. The Department also lacked adequate controls over continuous monitoring of system security, oversight of contractor-operated systems and their security, and remote access and account management. For example, the Department does not use two-factor authentication to secure remote access to its systems, and we identified network accounts assigned to individuals no longer employed by DOT.

4. DOT has not effectively identified, tracked, or prioritized information security weaknesses in plans of action and milestones (POA&M) to efficiently resolve these weaknesses. The Department tracked approximately 4,700 system weaknesses but did not remediate over a third of them within approved timeframes—a slip in performance compared to last year.

Together, these weaknesses significantly increase the risk that systems will fall victim to cyber attacks or disruptions that can compromise the integrity, availability, and confidentiality of data needed to fulfill DOT's missions.

We are making a series of recommendations to assist the Department in the establishment and maintenance of an effective information security program—one that complies with FISMA, OMB, and NIST requirements. Exhibit C identifies the recommendations from our two prior reports that the Department still needs to resolve.

[4] FDCC are security configuration settings developed by the National Institute of Standards and Technology (NIST), the Department of Defense, and the Department of Homeland Security (DHS) for certain Windows operating systems, including XP. OMB has mandated agencies to adopt these settings.
[5] Our estimate has a margin of error of +/- 9.1 percent at a 90 percent level of confidence.

BACKGROUND

A secure global digital information and communications infrastructure is one of the President's seven guiding principles in the protection of the American people.[6] As the White House has reported, both the Federal Government and the private sector face cybersecurity threats, including terrorists and international crime groups that target U.S. citizens, commerce, critical infrastructure, and the Government with attempts to compromise computer-based information. Undeterred, these individuals could undermine national security and degrade civil liberties.

FISMA requires each Federal agency to develop, document, and implement an agencywide program to secure the information and information systems that support the operations of the agency, including those provided or managed by another agency, contractor, or other source. FISMA also requires each agency to report annually to OMB, Congress, and the Government Accountability Office on the effectiveness of its information security policies, procedures and practices. In support of and reinforcing this legislation, OMB, through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the Federal Government to plan for security, ensure that appropriate officials are assigned security responsibility, periodically review the security controls in their information systems, and authorize system processing prior to operations and periodically thereafter.

DOT tracks its 445 information systems by 13 components. Exhibit B lists the 13 components and their respective number of systems.
For purposes of reporting under FISMA, we consider "operating administrations" to include all 13 components.

Since 2001, we have reported on weaknesses in DOT's information security program and practices. Our three most recent reports noted the following.

• In October 2008, we reported that the Department's information security program and practices were not effective.[7] Specifically, DOT had not established adequate policies, procedures, and training to identify weaknesses in information security and protect computer systems and networks, including those containing personally identifiable information (PII), or recover them should an incident occur. We made 27 specific recommendations to address these deficiencies.

• In November 2009, we reported that DOT had issued its information security policy—the first step in the development of a sustainable information security program—and improved the COE's FDCC compliance.[8] However, the Department had not made sufficient progress in other areas. Its information security program did not meet all Federal requirements and was not as effective as it should have been. We made 27 additional recommendations to correct critical vulnerabilities and assist DOT in the establishment of a more mature information security program.

[6] White House Issues: Homeland Security (www.whitehouse.gov/issues/homeland-security).
[7] DOT Information Security Program, FI-2009-003, October 8, 2008.

• In November 2010, we reported that the Department had successfully provided security awareness training to over 90 percent of its employees, but had not made sufficient progress in other critical areas.[9]
  The Department's information security system was still not effective. In its assurance letter to the President, the Department reported that its compliance with FISMA during 2010 constituted a material weakness in internal controls.

For 2011, OMB added one additional reporting area for IGs' audits—Capital Planning and Investment Control—and increased the number of metrics in the other 10 reporting areas. The 127 metrics for IGs' 2011 review represent a 20 percent increase over the prior year. OMB also changed the "certification and accreditation" reporting area to "risk management" to align with NIST's 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, dated February 2010.

DESPITE IMPROVEMENTS, DOT'S INFORMATION SECURITY POLICY AND PROCEDURES REMAIN INADEQUATE

Although it has made improvements, the Department's information security policy and procedures are still inadequate. FISMA requires each Department's Chief Information Officer to develop and maintain information security policies, procedures, and control techniques to address security requirements. In prior reports, we recommended revisions to the Department's policies that direct its OAs' security efforts. In June 2011, OCIO issued a strong and flexible cybersecurity policy for the Department. However, according to OCIO, OST management had differing views on needed policy changes. Because agreement was not reached, OST, which includes the Common Operating Environment (COE), is operating without a cybersecurity policy. Furthermore, as stated in our prior three reports, the OAs have limited or no procedural guidance from OCIO to instruct them on how to effectively and consistently implement information security.
Table 1 details the deficiencies in the Department's policy and procedures.

[8] Audit of DOT's Information Security Program and Practices, OIG Report FI-2010-023, November 18, 2009.
[9] Timely Actions Needed to Improve DOT's Cybersecurity, OIG Report FI-2011-022, November 15, 2010.

Table 1: Deficiencies in Policy and Procedures

Certification and Accreditation (C&A) of Controls
  FISMA Security Program Area: The assessment of security controls to determine if the controls have been implemented effectively.
  OIG Evaluation: C&A procedures remain in draft form.

Continuous Monitoring of Controls
  FISMA Security Program Area: Required as part of the security authorization process to ensure that controls remain effective over time.
  OIG Evaluation: Procedures are not sufficiently detailed to guide Agency personnel in the development of practices for the monitoring of their systems.

Plans of Action and Milestones (POA&M)
  FISMA Security Program Area: Tracks the measures implemented to correct security weaknesses and eliminate vulnerabilities.
  OIG Evaluation: Revised policy references procedural guidance that remains in draft form.

Security Awareness and Specialized Training
  FISMA Security Program Area: Annual training required by FISMA for Government and contractor personnel.
  OIG Evaluation: Policy does not require all Government and contractor personnel—those who use information systems as well as those who do not—to receive training, and procedures are not sufficiently developed to guide OAs in identification, tracking and validation of contractors that require annual security training.

Capital Planning and Investment Control
  FISMA Security Program Area: Policy and procedures that ensure that security funding is incorporated in system life-cycles.
  OIG Evaluation: The policy and procedures for management of security costs as part of IT capital planning are not developed.

Account and Identity Management
  FISMA Security Program Area: Controls for management and monitoring of network accounts.
  OIG Evaluation: The procedures are not sufficiently developed to guide OAs in establishment of controls. For example, procedures do not fully address conditions for group memberships, approval processes, conditions required to grant access, and temporary accounts, among other things.

Configuration Management
  FISMA Security Program Area: Policy and procedures that ensure that all system owners have implemented approved security control baselines.
  OIG Evaluation: Does not include detailed procedural guidance for management of policy requirements. For example, there is little guidance on the adoption of hardware and software security baselines.

Contractor Oversight
  FISMA Security Program Area: Monitoring of the effectiveness of support system security provided or managed by contractors, or other agencies or sources.
  OIG Evaluation: Policies and procedures do not include an OMB-compliant definition of "contractor system."

Remote Access
  FISMA Security Program Area: Components for telework and remote access, including client devices, servers, and internal resources, should be secured against known possible weaknesses, including the lack of controls for physical security, the use of unsecured networks, connections between infected devices and internal networks, and the availability of internal resources to external hosts.
  OIG Evaluation: Procedures do not establish an effective approach to identification, monitoring, tracking and validation of users and equipment that remotely access DOT networks and applications.

Source: OIG Analysis

The lack of adequate Departmentwide guidance on security requirements creates a possibility that OAs will develop internal procedures and practices that may not comply with OMB or DOT's requirements, and has contributed to the other weaknesses documented in this report.

DOT LACKS THE ENTERPRISE-LEVEL CONTROLS NEEDED TO SAFEGUARD ITS IT SYSTEMS

DOT's Departmentwide controls—those that must be implemented at the enterprise level—are still inadequate to ensure its contractors receive the required security training, security incidents are detected and reported, configuration baselines are appropriately managed, and security costs are considered when planning IT investments.

DOT Cannot Accurately Track Contractors' IT Security Training

FISMA requires agencies to develop and maintain a comprehensive security training program that ensures that all computer users[10] are adequately trained in their security responsibilities before they are allowed access to agency information systems. Furthermore, both FISMA and OMB require agencies to provide basic security awareness training to employees and contractors that never access computer systems as well as to those who do. However, as we have previously reported, the Department lacks a system that effectively tracks all contractors working for the Department, and therefore cannot determine whether its contractors have received required training. Further, because DOT policy requires its CIOs only to ensure that all users of DOT's information system receive training, many non-users, who frequently are contractors, do not receive training or are not accounted for.

[10] Users may include employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access.

For 2011, DOT attempted to establish a baseline number of contractor personnel by using a list of currently employed contractors extracted from its Personal Identity and Verification Badge System. However, the Department had no way to confirm that all employed contractors were included in the baseline. Moreover, in contrast to FISMA and OMB policy,[11] it removed from the list contractors that did not appear to have access to IT systems because of the services they provide, such as security guards and janitorial staff.
Contractor tracking issues represent significant security risks to the Department because personnel without security awareness training are more likely to become victims of social engineering or commit acts that compromise information security.

The Department's Incident Reporting Process Does Not Monitor All DOT Networks

DOT has instituted controls to improve reporting of intrusion incidents, but does not monitor all of its networks for intrusion. OMB policy requires departments to report several categories of security incidents to DHS's U.S. Computer Emergency Readiness Team (US-CERT). Last year, we found that DOT's reporting process did not ensure that all of the required incidents were reported to US-CERT.

Since then, FAA's CSMC has instituted new controls that provide reasonable assurance that all incidents it receives from OAs get reported to US-CERT. However, CSMC does not monitor all DOT networks. For example, because CSMC does not monitor the United States Merchant Marine Academy's (USMMA) network, it does not receive any intrusion detection reports from the Academy. Furthermore, CSMC monitors only two of the National Airspace System's (NAS) many systems. Because it cannot be sure that all incidents are discovered, the Department risks cyber attacks going undetected and unaddressed.

The Department Has Not Fully Met Configuration Standards

OMB requires compliance with minimally acceptable system configuration requirements for commercial software. Configurations that meet these requirements provide a baseline level of security and ensure the efficient use of resources.
However, we found deficiencies in DOT's compliance with FDCC settings, and incomplete implementations of other configuration standards throughout the Department. Inadequately configured software also increases security vulnerabilities that could impact DOT's mission and business operations.

[11] OMB M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

OAs Are Not in Compliance With FDCC Requirements

OMB requires agencies that have deployed certain software, such as the Windows XP operating system, to adopt FDCC security configuration settings. OMB also requires departments to meet all NIST configuration settings in order for them to be 100 percent compliant with configuration standards. We drew a statistical sample of 903 out of 90,169 OA computers for the OAs to scan for compliance with controls; they scanned 437 systems but the other 466 were not operating or were otherwise unavailable.[12] We estimate that 70 percent[13] of controls are compliant with FDCC requirements, a decline of approximately 20 percentage points from 2010. None of the computers tested was fully compliant with NIST settings.
Table 2 shows the total controls tested and passed.

Table 2: FDCC Sample Test Results of Controls for Windows Operating System at OAs

OA                                                              Tested     Passed   % Passed
FAA                                                            119,984     74,513     62.10%
Federal Motor Carrier Safety Administration (FMCSA)              7,788      5,511     70.76%
COE (a)                                                         15,171     11,040     72.77%
Surface Transportation Board (STB)                              20,856      9,928     47.60%
John A. Volpe National Transportation Systems Center (Volpe)    15,806     11,347     71.79%
USMMA                                                            8,547      5,232     61.21%
OIG (b)
Department Totals (c)                                          188,152    117,571     62.49%
Source: OIG
(a) The Department consolidated OAs' network infrastructures (email, desktop computing, and local area networks) into a common IT infrastructure.
(b) On July 22, 2011, OIG informed us that it did not use Security Content Automation Protocol tools. After the conclusion of our fieldwork, OIG informed us that it did for FDCC.
(c) Totals may not add due to rounding.

We also noted the following areas in which DOT did not comply with FDCC requirements.

[12] Scanning tools test only computers that are operating during a scan. Other routine factors can contribute to a scanning tool's inability to test a specific computer.
[13] The estimate has a margin of error of +/-11.5 percentage points at the 90% confidence level.

• One of the Department's controls for the use of approved configuration settings is the application of uniform approved settings at all workstations. However, numerous settings that should have been identical at all workstations were different. For example, FMCSA had almost 30 different settings among its computers. We did not determine the cause for the variations in settings, but such differences can be caused by malware or viruses.

• OMB requires agencies to use Security Content Automation Protocol (SCAP)-validated tools[14] to certify that their systems comply with FDCC and United States Government Configuration Baseline (USGCB) standards. Once agencies have deployed these standard configurations to personnel's computers, they are required to monitor and manage the configurations to ensure they are not modified. Three OAs either had less than 100 percent standard configurations deployed on their systems or did not provide evidence of total deployment. For example, OIG did not use SCAP tools to ensure compliance for its systems.

• Agencies may create deviations from control settings when they determine that the settings impact operations, such as the running of legacy applications. However, if an OA opts to create such deviations, the OCIO must review and approve them to prevent exploitation of system weaknesses that the deviations may create. OCIO had not approved the majority of deviations for noncompliant settings noted in SCAP scan testing.
  COE and OIG requested and received approvals for some of their deviations, but other OAs did not submit requests to OCIO for approvals.

OAs' Configuration Management Procedures Do Not Comply with NIST and DOT Policy

Six OAs—OIG, FMCSA, OST (COE), Research and Innovative Technology Administration (RITA) (Volpe), Maritime Administration (MARAD) (USMMA) and FAA—have security configuration management procedures that do not conform to NIST and DOT's policies because they have not implemented standard baseline configurations for all of the hardware and software they use. OAs must also perform scanning to verify that their system configurations are correct and that they have applied all security patches. OIG, USMMA and an FAA line of business (LoB) did not have sufficient controls over their software scanning capabilities. Furthermore, USMMA and three FAA LoBs, including CSMC, did not have fully developed patch management processes.

[14] NIST created SCAP to work with IT communities to develop common configuration standards. As part of the SCAP program, NIST-accredited laboratories test tools and submit their results to NIST. If the results are favorable, NIST validates the tool.

The Department's Capital Planning and Investment Control Process Does Not Adequately Address Security

DOT does not adequately plan security investments as part of its capital planning. FISMA requires agencies to integrate IT security into their capital planning processes. OMB further requires agencies to plan for and track IT security costs throughout each investment's life cycle. According to OST, the Department has no specific policies and procedures for the estimation, tracking, and reporting of returns on security investments.
Specifically, we found the following:[15]

• For fiscal year 2012, OCIO reported that it will focus on the development of policy, process, and use of a tool that supports OAs' security controls and funding decisions. But OCIO provided no plan for this effort.

• Five of 13 OAs (38 percent)—FAA, MARAD, RITA, STB, and OST—did not provide adequate information or documentation that identified their methodologies for security funding estimations and criteria for security project selection.

• Five OAs (38 percent)—FMCSA, Federal Railroad Administration (FRA), MARAD, OIG, and Pipeline and Hazardous Materials Safety Administration (PHMSA)—did not receive the fiscal year 2011 IT security funds they requested. FAA and RITA did not provide documentation that they had received security funding. Furthermore, OCIO requested $30 million for security, but did not receive any. OCIO did not provide a plan for the reprioritization of expenditures as a result of this funding issue.

[15] We will provide further detail on these findings in our upcoming report on the Department's enterprise architecture program. We will also provide related recommendations in that report.

THE DEPARTMENT'S SYSTEM-LEVEL CONTROLS ARE NOT SUFFICIENT TO KEEP SYSTEMS SECURE OR ENSURE RECOVERY

The Department's system-level controls are insufficient to protect the security of information systems and ensure that the systems can be recovered should a serious breach occur. We found deficiencies in C&A and contingency plan testing, continuous monitoring, oversight of contractor-operated systems, and controls over remote access and account and identity management.

C&A and Contingency Plan Testing Are Incomplete

As of October 7, 2011, eight systems were unaccredited, meaning they were not authorized to operate (see Table 3). OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," requires systems to be reauthorized—or reaccredited—at least once every 3 years through a C&A process. Certification of a system requires assessing risk, planning security, testing of minimum security controls, creating plans of actions for identified weaknesses, and mitigating risks. The 8 unaccredited systems represent a notable improvement over last year when we found 41 systems that were unaccredited. This improvement was brought about by MARAD's successful identification and accreditation of its systems.

Table 3: Summary of Systems with Expired C&A

OA       System Name                                   Expiration Date   Total Systems
FMCSA    FMCSA Service Centers                         6/11/2010         1
OST      Correspondence Control Management System      10/31/2010        1
RITA     RITA-Web                                      5/31/2010
         RITA-Mission Support                          7/30/2009
         RITA-TSI Infrastructure                       1/02/2010
         RITA-Transtats                                5/16/2011
         RITA-Everbridge Mass Notification System
                   7/22/2011            5\n\nSTB                 Case Management System                                              11/6/2010            1\n\nTotal DOT Systems with Expired C&As                                                                          8\nSource: CSAM\n\nBased on our sample of 64 systems, we estimate that 403 of 445 systems, or\n91 percent, had complete C&A documentation. 16 However, 239 or 54 percent, did\nnot have adequate security control testing, 17 while only 179, or 40 percent, had\nboth complete C&A documentation and adequate security control testing. 18 See\nTable 4 for details of our results.\n\n\n\n\n16\n   Our estimate has a margin of error of +/-22 or 5.0 percent at the 90 percent level of confidence.\n17\n   Our estimate has a margin of error of +/-40 or 9.1 percent at the 90 percent level of confidence.\n18\n   Our estimate has a margin of error of +/-40 or 9.1 percent at the 90 percent level of confidence.\n\x0c                                                                                              13\n\n\n\nTable 4: Review of 64 Sample Systems\' C&A and\nContingency Plans\n\nOA                                       Systems       Systems Systems with       Systems\n                                           tested           with inadequate         without\n                                                       deficient     control   contingency\n                                                    or no C&As       testing          plans\nCOE                                            2             0            0              0\nFAA                                           33             2           21              0\nFederal Highway Administration (FHWA)          3             0            2              0\nFMCSA                                          3             0            1              1\nFRA                                            2             0            0              0\nFederal Transit 
Administration (FTA)           2             0            0              0\nMARAD                                          4             1            4              1\nNational Highway Transportation Safety\n                                               2             2            0              1\nAdministration (NHTSA)\nOIG                                            2             0            1              0\nOST                                            4             0            0              0\nPHMSA                                          2             0            1              2\nRITA                                           2             1            0              0\nSaint Lawrence Seaway Development\n                                               1             0            0              1\nCorporation (SLSDC)\nSTB                                            2             0            2              2\nTotal                                         64             6           32              8\nSource: OIG Analysis\n\nDOT also lacks an effective plan for recovery of its IT systems in the event of a\ndisaster or other disruptions, as required by NIST and OMB. Agencies must also\nperiodically test their contingency plans to ensure they will actually work if\nneeded. 
Of the sample 64 systems, 36, or 56 percent, had missing or inadequate\ncontingency plans or tests (see Table 4).These included the following:\n\n\xe2\x80\xa2 Untested contingency plans\n\xe2\x80\xa2 Unsuccessful disaster recovery exercises\n\xe2\x80\xa2 No contingency plan training for personnel\n\xe2\x80\xa2 No contingency plan testing approaches\n\xe2\x80\xa2 Inadequate process for data backup\n\xe2\x80\xa2 40 percent of critical systems had either no alternative processing site or an\n  alternative processing site that was exposed to same risks as primary site\n\xe2\x80\xa2 Tabletop instead of functional exercises performed for critical systems\n\nWithout proper C&A and contingency planning, the Department\'s systems are not\nproperly assessed for risk and independently tested. Consequently, system\n\x0c                                                                                                               14\n\n\nweaknesses may not be identified and sufficiently mitigated. Furthermore,\nwithout complete contingency testing, systems may not be recoverable from an\nunplanned shutdown in time to minimize business disruption.\n\nThe Department\'s Continuous Monitoring of Security Controls Is\nIneffective\n\nIn June 2011, the Department issued policy on continuous monitoring but has yet\nto develop guidance or issue an approved Departmentwide strategic plan.\nNHTSA, FRA and FTA have developed internal guidance; however, most OAs\nare not complying with existing OMB guidance. For example:\n\n\xe2\x80\xa2 7 of 13 (54 percent) OAs did not conduct ongoing assessments of security\n  controls;\n\xe2\x80\xa2 11 of 13 (85 percent) OAs did not have a continuous monitoring strategy; and\n\xe2\x80\xa2 10 of 13 (77 percent) OAs did not have any continuous monitoring\n  procedures.\n\nThe Department\'s lack of guidance on continuous monitoring of security controls\nlimits OAs\' abilities to monitor their systems\' security. 
It also diminishes their ability to respond quickly to new threats and affects how well the Department implements security solutions in its highly dynamic environment.

The Department Does Not Identify Its Contractor-Operated Systems in Accordance with OMB Guidance

OMB requires agencies to establish and maintain oversight programs, including inventories, for systems operated by contractors or other entities. 19 However, the Department's methods for identifying contractor-operated systems do not comply with OMB's requirements. As detailed in Table 5, DOT reports a decline in its inventory of contractor systems from 33 in fiscal year 2010 to 19 in fiscal year 2011. Of the 64 sample systems, DOT had designated 2 as contractor systems. However, we determined that 26 of the 64 systems, including COE, met OMB's criteria for contractor systems. Consequently, DOT is underreporting contractor systems.

19 OMB defines "contractor system" as any system fully or partially provided or managed by another agency, contractor, or other source.

Table 5: Fiscal Years 2009 Through 2011 Comparison of Contractor Systems

OA        FY 2009   FY 2010   FY 2011
FAA       10        13        8
FHWA      1         0         0
FMCSA     3         4         2
FRA       6         6         0
FTA       5         0         0
NHTSA     2         2         3
OST       14        4         3
PHMSA     3         3         2
RITA      2         1         1
Total     46        33        19
Source: CSAM

DOT's incorrect classification of systems resulted from OCIO's instruction to classify as contractor systems only those that are both owned and operated by contractors. Contractor systems represent higher risk to the Department because it frequently does not manage the security controls in such systems. Without an accurate inventory of these systems, the Department cannot know which systems pose these higher risks.

The Department's Controls over Remote Access Remain Deficient

The Department's remote access controls still do not meet Department and NIST policies and guidance on the control of remote system access. For example:

• COE, Volpe, FMCSA, and FAA have not developed procedures that fully comply with NIST guidance for authorizing, monitoring, and controlling remote access.
• COE, STB, and Volpe require Government and contractor personnel to have only user identifications and passwords for remote access to applications. With the exception of FAA and STB, OAs rely on COE for remote access. However, COE's remote access capability does not require multi-factor authentication. No multi-factor authentication is implemented within DOT, with the exception of certain FAA LoBs.
• MARAD, FMCSA, STB, and RITA did not identify all remote devices.
• FAA's, FMCSA's, and STB's remote devices and computers are not properly secured and monitored. COE informed us that it needs additional resources to ensure that all remote devices are properly secured and monitored.

Without effective controls over remote access, DOT cannot ensure that only authorized computers and personnel access its information systems, and it risks the deployment of malware on its networks or the loss of sensitive information.

The Department's Account and Identity Management Are Inadequate

We reviewed 3 of DOT's 19 general support systems for disabled accounts 20 and found that the Department's account and identity management controls are deficient in several areas, including issuance of accounts, disabling of accounts, distinguishing user accounts from non-user accounts, deployment of personal identity verification (PIV) cards, and use of dual accounts for administrators. In May 2009, OCIO issued Departmentwide policies to implement security controls for account management and for user identification and authentication. These policies state that OAs and their LoBs are responsible for implementing the requirements and that the Chief Information Security Officer should validate compliance with the procedures.

Network Accounts Are Not Properly Issued to Users

Three FAA LoB networks had accounts that were not properly issued. For example:

• Two LoBs had instances where unauthorized staff submitted and approved requests to create accounts for new users;
• Two LoBs did not sufficiently separate, among different staff, the duties of creating, modifying, and disabling accounts; and
• One LoB did not always verify the authority of account requestors and approvers to create accounts.

We also found instances in which employees had unauthorized membership in network groups. Network account groups assign the same access rights to all members to simplify administration, so an employee with unauthorized membership acquires the group's access rights. We also found one LoB that could not determine whether certain users had group memberships. These improper account creation and privilege assignment processes increase the risk that users may gain unauthorized or excessive access to network functions.

20 These three general support systems are FAA networks that hold approximately 58,000, or 75 percent, of the estimated 77,000 active DOT user accounts.

Network Administrators Do Not Disable Accounts in a Timely Manner

User accounts in Department systems had not been disabled after lengthy periods of inactivity. DOT policy states that information systems should disable user identifiers after 30 days of inactivity for high-impact systems 21 and after 60 days for moderate-impact systems. 22 Table 6 details the 5,760 accounts, all of them on high- or moderate-impact systems, that were not disabled in a timely manner. We also discovered active accounts whose users were deceased or retired.

Table 6: Accounts Not Disabled in a Timely Manner

System Name               Disabling Period   System Category   User Accounts
AVS-INF (Internal)        > 30 days          High              356
AVS-INF (External)        > 30 days          High              2,110
COE                       > 30 days          High              1,048
CSMC IDPS                 > 60 days          Moderate          5
FAA/ATO LAN               > 60 days          Moderate          1,173
FAA/ARC a                 > 60 days          Moderate          144
FAA/ARP LAN               > 60 days          Moderate          100
FAA/ASH HQ LAN            > 60 days          Moderate          62
FAA AST LAN               > 60 days          Moderate          14
FMCSA Service Centers     > 60 days          Moderate          36
USMMA LAN                 > 60 days          Moderate          644
OIG Infrastructure        > 60 days          Moderate          45
STB LAN                   > 60 days          Moderate          23
Total                                                          5,760
Source: OIG
Note: We were unable to extract data from the Volpe LAN and IRMS because of missing information in the network directory.
a Includes ARC LANs, AML LAN, RTF LAN, AWA & Hangar 6, CMEL, and MMAC File and Print.

Failing to disable accounts in a timely manner may allow individuals who no longer have authorized access to gain unauthorized access to information and systems.

21 "Impact" refers to the impact that the loss of a system's confidentiality, integrity, or availability can be expected to have on organizational operations, assets, or individuals. "High impact" would have a severely adverse effect.
22 DOT CIOP 1351.15, issued May 2009, outlines the disabling period for user identifiers according to impact level. DOT CIOP 1351.37, issued July 2011, requires user identifiers to be disabled after 60 days of inactivity. During our review, we followed the criteria established in DOT CIOP 1351.15, which was in effect at the time.

Network Administrators Do Not Properly Distinguish Account Types

NIST requires agencies to segregate account types—individual, group, system, application, guest/anonymous, or temporary—and to distinguish user accounts from non-user accounts. However, the three FAA networks that we tested did not comply with these requirements because the administrators of these networks did not follow DOT's naming standards when they established the accounts. Without accurate identification of user and non-user accounts, the Department cannot properly control access to its information systems.
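The two account-hygiene checks behind Table 6 and Table 7 (below) can both be run from a single directory export. The following is an added example written for this page, not the OIG's tooling or any DOT script. It assumes an export in CSV form with the columns name, declared_type, impact and last_logon (ISO date, blank if the account never logged on), takes the inactivity limits from the DOT CIOP 1351.15 values quoted above, and infers a naming standard from Table 7's "correct" column (service accounts prefixed sa-, sa_ or SRVC-, test accounts prefixed T_); those prefixes are an assumption, since the page does not print the standard itself. The sample export is constructed.

```python
"""Audit a directory export for two findings: accounts left enabled past the
inactivity limit for their system's impact level, and non-user accounts whose
names do not follow the naming standard.

Added example, not the OIG's tooling. Assumptions: CSV export with columns
name, declared_type, impact, last_logon; inactivity limits per DOT CIOP 1351.15
as quoted in the report; naming prefixes inferred from Table 7.
"""
import csv
import io
import re
from datetime import date

# Inactivity limits (days) by system impact level, per DOT CIOP 1351.15 as
# quoted in the report. Low-impact systems are given no limit there.
INACTIVITY_LIMIT_DAYS = {"high": 30, "moderate": 60}

# Assumed naming standard for non-user accounts (prefixes taken from Table 7).
NAMING_RULES = {
    "service": re.compile(r"^(sa[-_]|SRVC-)", re.IGNORECASE),
    "test": re.compile(r"^T_", re.IGNORECASE),
}

AUDIT_DATE = date(2011, 8, 9)  # arbitrary as-of date for the sample

# Constructed sample export; the names echo Table 7, the data is not real.
SAMPLE_EXPORT = """\
name,declared_type,impact,last_logon
jdoe,user,high,2011-07-20
asmith,user,high,2011-05-01
bjones,user,moderate,2011-05-30
ricoh,service,high,2011-08-01
sa-ricoh,service,high,2011-08-01
ASI1,test,moderate,2011-07-01
AMA100X2,,moderate,
newhire,user,moderate,
"""


def parse_export(text):
    """Parse the CSV export into a list of account records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        last = r["last_logon"].strip()
        rows.append({
            "name": r["name"].strip(),
            # A blank type means the administrator recorded nothing usable.
            "declared_type": r["declared_type"].strip().lower() or None,
            "impact": r["impact"].strip().lower(),
            "last_logon": date.fromisoformat(last) if last else None,
        })
    return rows


def find_inactive(rows, as_of):
    """Return (overdue, never_logged_on).

    overdue: (name, days_idle, limit) for accounts idle longer than the limit
    for their impact level. Accounts with no recorded logon are listed
    separately: their idle time cannot be measured from last_logon, so they
    need a creation-date check rather than being silently skipped.
    """
    overdue, never_logged_on = [], []
    for r in rows:
        limit = INACTIVITY_LIMIT_DAYS.get(r["impact"])
        if limit is None:
            continue
        if r["last_logon"] is None:
            never_logged_on.append(r["name"])
            continue
        idle = (as_of - r["last_logon"]).days
        if idle > limit:
            overdue.append((r["name"], idle, limit))
    return overdue, never_logged_on


def check_naming(rows):
    """Return (violations, undetermined).

    violations: (name, declared_type) where a non-user account lacks the prefix
    the standard requires for its type. undetermined: accounts whose type was
    never recorded, so user and non-user cannot be told apart at all (Table 7's
    "Undetermined" rows).
    """
    violations, undetermined = [], []
    for r in rows:
        declared = r["declared_type"]
        if declared is None:
            undetermined.append(r["name"])
        elif declared in NAMING_RULES and not NAMING_RULES[declared].match(r["name"]):
            violations.append((r["name"], declared))
    return violations, undetermined


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    overdue, never = find_inactive(accounts, AUDIT_DATE)
    bad_names, unknown = check_naming(accounts)
    for name, idle, limit in overdue:
        print(f"INACTIVE  {name:<12} idle {idle:>3} days (limit {limit})")
    for name in never:
        print(f"NO LOGON  {name:<12} check creation date")
    for name, declared in bad_names:
        print(f"NAMING    {name:<12} declared {declared}, required prefix missing")
    for name in unknown:
        print(f"UNTYPED   {name:<12} cannot be classified as user or non-user")
```

Two design points matter in practice. Accounts with no logon at all are reported on their own rather than counted as idle, because an account created last week and one created two years ago look identical in last_logon; the second list is what a reviewer compares against creation dates. And the naming check only fires for accounts whose type was declared; an account with no declared type is exactly the "Undetermined" condition Table 7 reports, which is a finding in itself.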
Table 7 provides examples of incorrect account names among these three networks.

Table 7: Summary of Account Naming Errors

Network   Type of Account                              Erroneous Account Name   Correct Account Name or Format
FAA AVS   Service                                      ricoh                    sa-ricoh
          Test                                         ASI1                     T_ASI1
          Service account for AFS700 RJE printer       RJE-AFS700               sa_RJE-AFS700
FAA ATO   Service                                      ame530-backup-svc        SRVC-ame530-backup
          Undetermined                                 AMA100X2                 Undetermined
FAA ARC   Undetermined                                 Archibus1                Undetermined
Source: OIG

FAA Has Not Completed Deployment of Multifactor Authentication for Local Access to Networks

While FAA LoBs use tokens for multifactor authentication for remote access to networks, they have not implemented multifactor authentication for local access. FAA is implementing PIV cards as its two-factor authentication for local access and is scheduled to complete the process by January 2012. However, one of the systems we reviewed did not have a PIV implementation plan for logical access, including log-on access. Furthermore, FAA is not scheduled to fully implement the use of PIV cards for physical access, such as access to buildings, until December 2014.

Because multifactor authentication has not been fully implemented, DOT cannot sufficiently identify and authenticate authorized users. Users who authenticate with only a user identification and password can share those credentials with others. Lack of full deployment of PIV cards for physical access increases the risk of unauthorized access to secured facilities.

Not All Network Administrators Have Dual Accounts

None of the three FAA LoBs we reviewed had implemented dual accounts for all administrators. NIST guidance requires agencies to separate duties through assigned system access authorizations, including different accounts for different roles. For example, a system administrator who has an email account on the network he or she administers should have both an administrator account and a user account, and should use only the user account to access email. Because administrator accounts have greater access to computer resources, using them for non-administrator functions increases the likelihood that malware such as viruses will infect DOT networks.

DOT CONTINUES TO LACK AN EFFECTIVE PROCESS FOR THE REMEDIATION OF SECURITY VULNERABILITIES

The Department's remediation of security weaknesses remains ineffective because of weaknesses in oversight and an incomplete POA&M database. FISMA requires a process for the planning, implementation, evaluation, and documentation of actions that address information security weaknesses. OMB policy requires departments to develop POA&Ms for detected system weaknesses and to prioritize remediation of the POA&Ms based on the severity of the weaknesses, which DOT designates as high, medium, or low. To facilitate weakness remediation, departments must centrally track all POA&Ms. DOT uses CSAM for this purpose. To evaluate its performance in POA&M management, DOT developed IT Vital Signs, a module that places reports on the Department's intranet and includes a coding system indicating management's remediation success. 23 While IT Vital Signs represents progress, it may not be accurate. For example, DOT's current report indicates that the Department's status across all OAs is average, with all OAs having acceptable or above-average performance. However, 34 percent, or 1,565 of 4,668 open POA&Ms, had passed their due dates for resolution, including 374 that were more than a year overdue and 88 that had no target completion date (see Table 8). The 34 percent overdue represents a 9 percentage point increase over the prior year.

23 OCIO developed formulas to extract information from CSAM to generate IT Vital Signs' assessment of DOT and OA management's POA&M performance.

Table 8: DOT's Open POA&Ms and Days Overdue

         Open      Days Overdue                                   No Due   Total     To Become
OA       POA&Ms    1-60   61-90   91-120   121-365   >365         Date     Overdue   Overdue
COE      15        0      0       3        2         0            0        5         10
OCIO     111       10     0       7        9         46           10       82        29
FAA      3,891     215    17      53       689       263          22       1,259     2,632
FHWA     108       0      0       0        0         0            0        0         108
FMCSA    1         0      0       0        0         0            1        1         0
FRA      62        35     0       0        0         0            1        36        26
FTA      66        1      0       0        1         1            2        5         61
MARAD    127       5      1       2        0         0            10       18        109
NHTSA    3         0      0       0        0         0            0        0         3
OIG      29        12     3       1        5         8            0        29        0
OST      100       13     1       1        8         1            0        24        76
PHMSA    16        0      0       0        1         0            9        10        6
RITA     29        0      0       0        8         3            18       29        0
SLSDC    4         0      0       0        0         0            0        0         4
STB      106       0      0       0        0         52           15       67        39
Total    4,668     291    22      67       723       374          88       1,565     3,103
Source: DOT open POA&Ms in the Cyber Security Assessment and Management (CSAM) system as of August 9, 2011

DOT has changed its remediation time requirements twice during the past 2 years (see Table 9). The timeframes in place during our review were flawed because they were shorter for low-priority weaknesses than for high-priority ones. DOT recognizes that this flaw needs to be corrected but has yet to issue its final revised timeframes.

Table 9: Changes to Time Requirements for Remediation

POA&M Priority   DOT Order 1351.6                   DOT Order 1351.30                                   DOT Order 1351.37 Draft Procedures a
High             Remediate within 24 hours          Develop a remediation plan within 90 working days   Remediate within 30 working days
Moderate         Remediate within 20 working days   Remediate within 90 working days                    Remediate within 90 working days
Low              Remediate within 60 working days   Remediate within 30 working days                    No remediation period specified
Source: OIG
a DOT Security Assessment and Authorization Guide, dated July 2010 (DRAFT)

In addition, OAs did not record all known weaknesses in CSAM. For example, we detected over 3,000 weaknesses in our 64 sample systems for which we could not locate a POA&M in CSAM or other documentation in the C&As. We also found that 32 systems had incomplete testing of minimum security controls and consequently may have unidentified weaknesses.

Without an adequate POA&M remediation process, the Department cannot ensure that its systems are adequately secured and protected.
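The report notes that IT Vital Signs' formulas may not be accurate and that the remediation timeframes were inverted. Both are easy to verify from the raw data, and the following added example (written for this page, not DOT's IT Vital Signs code, which the report does not reproduce) does so: it recomputes Table 8's days-overdue buckets and overall overdue percentage from a CSAM-style export of open POA&Ms, and checks a priority-to-deadline mapping for the Table 9 flaw. Assumptions: the export is a CSV with columns oa, poam_id, priority, due_date (ISO date, blank when no target completion date was set); a POA&M is overdue once it is at least one day past its due date; and POA&Ms with no due date count as overdue, as Table 8 counts them. The export rows are constructed.

```python
"""Recompute POA&M timeliness (Table 8's buckets) from a CSAM-style export and
check remediation timeframes for the inversion noted in Table 9.

Added example, not DOT's IT Vital Signs formulas. Assumptions: CSV of open
POA&Ms with columns oa, poam_id, priority, due_date; overdue = at least one
day past due as of the audit date; no due date counts as overdue.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date

# Days-overdue buckets used in Table 8; None marks the open-ended last bucket.
BUCKETS = ((1, 60), (61, 90), (91, 120), (121, 365), (366, None))

AS_OF = date(2011, 8, 9)  # Table 8's as-of date, reused for the sample

# Constructed sample export; not real CSAM data.
SAMPLE_EXPORT = """\
oa,poam_id,priority,due_date
FAA,P-1,high,2011-07-30
FAA,P-2,moderate,2011-04-01
FAA,P-3,low,2010-06-01
FAA,P-4,high,
FAA,P-5,moderate,2011-09-30
OST,P-6,high,2011-08-09
OST,P-7,low,2011-05-20
"""


def parse_export(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        due = r["due_date"].strip()
        rows.append({
            "oa": r["oa"].strip(),
            "id": r["poam_id"].strip(),
            "priority": r["priority"].strip().lower(),
            "due": date.fromisoformat(due) if due else None,
        })
    return rows


def bucket_label(days_overdue):
    """Map a positive days-overdue count to its Table 8 column label."""
    for lo, hi in BUCKETS:
        if days_overdue >= lo and (hi is None or days_overdue <= hi):
            return f"{lo}-{hi}" if hi is not None else f">{lo - 1}"
    raise ValueError(f"not overdue: {days_overdue}")


def summarize(rows, as_of):
    """Per-OA counters matching Table 8's columns."""
    per_oa = defaultdict(Counter)
    for r in rows:
        c = per_oa[r["oa"]]
        c["open"] += 1
        if r["due"] is None:
            c["no_due_date"] += 1
            c["overdue"] += 1
            continue
        days = (as_of - r["due"]).days
        if days < 1:  # due today or in the future
            c["to_become_overdue"] += 1
        else:
            c[bucket_label(days)] += 1
            c["overdue"] += 1
    return per_oa


def overdue_share(per_oa):
    """(total overdue, total open, percent overdue) across all OAs."""
    total_open = sum(c["open"] for c in per_oa.values())
    total_overdue = sum(c["overdue"] for c in per_oa.values())
    pct = round(100 * total_overdue / total_open) if total_open else 0
    return total_overdue, total_open, pct


PRIORITY_ORDER = ("high", "moderate", "low")


def timeframe_inversions(timeframes):
    """Pairs (higher, lower) where the lower priority has the shorter deadline.

    timeframes maps priority -> working days, or None when no period is set.
    """
    bad = []
    for i, higher in enumerate(PRIORITY_ORDER):
        for lower in PRIORITY_ORDER[i + 1:]:
            h, l = timeframes.get(higher), timeframes.get(lower)
            if h is not None and l is not None and l < h:
                bad.append((higher, lower))
    return bad


if __name__ == "__main__":
    per_oa = summarize(parse_export(SAMPLE_EXPORT), AS_OF)
    for oa, c in sorted(per_oa.items()):
        print(oa, dict(c))
    print("overdue / open / percent:", overdue_share(per_oa))
    # Table 9's three timeframe sets. "24 hours" is taken as 1 working day and
    # 1351.30's 90-day plan-development period as the High deadline, which is
    # the comparison the report makes.
    for name, tf in {
        "1351.6": {"high": 1, "moderate": 20, "low": 60},
        "1351.30": {"high": 90, "moderate": 90, "low": 30},
        "1351.37 draft": {"high": 30, "moderate": 90, "low": None},
    }.items():
        print(name, "inversions:", timeframe_inversions(tf))
```

Run against a full CSAM export, summarize() reproduces every column of Table 8 directly from due dates, which is the independent check to hold against any dashboard colour code; timeframe_inversions() flags the 1351.30 set and passes the other two.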
Weaknesses that are unaccounted for, unresolved, or unmitigated for extended periods of time create a risk of exploitation that may compromise systems' availability and data integrity.

CONCLUSION

The Department's ability to safeguard its IT systems from hackers and other unauthorized users depends on its ability to implement and maintain adequate security controls as prescribed by OMB and NIST while keeping its networks available to legitimate users. As technology progresses, so do the risks involved in its use and the need to maintain a state-of-the-art cybersecurity program that can respond quickly and effectively to any threat. Until DOT takes action to follow requirements and address its persistent cybersecurity weaknesses, it will continue to expose its IT systems to these risks.

RECOMMENDATIONS

To help the Department address the challenges in developing a mature and effective information security program, we recommend that the Chief Information Officer take the following actions in addition to closing recommendations we have previously made:

Information Security Policy

1. Address these policy and procedural weaknesses:
   o Issue information security policy for OST.
   o Enhance existing policy to address security awareness training for non-computer users, address security costs as part of capital planning, correct the definition of "government system," and address the identification, monitoring, tracking, and validation of users and equipment that remotely access DOT networks and applications.
   o In conjunction with the OA CIOs, execute a strategy to ensure that sufficient procedural guidance exists for DOT and the OAs.

Enterprise-Level Weaknesses

2. In conjunction with OA CIOs, establish incident monitoring and detection capabilities that cover all of the Department's systems and facilitate central, real-time reporting.

Information System Security

3. In conjunction with OA CIOs, create, complete, or test contingency plans for deficient systems.
4. In conjunction with OA CIOs, verify that backup media are properly secured and regularly tested.
5. In conjunction with OA CIOs, verify that minimum security controls are adequately tested for deficient systems.

AGENCY COMMENTS AND OIG RESPONSE

A draft of this report was provided to the Department's CIO on October 24, 2011. On November 9, 2011, we received the Department CIO's response, which can be found in its entirety in the Appendix.

ACTIONS REQUIRED

In accordance with Department of Transportation Order 8000.1C, we would appreciate receiving your detailed action plans and target dates for the recommendations in this report within 30 calendar days. We will review the Chief Information Officer's detailed action plans when provided to determine whether they satisfy the intent of our recommendations. All corrections are subject to follow-up provisions in DOT Order 8000.1C. We appreciate the courtesies and cooperation of the CIO Office and the Operating Administrations' representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1959; Lou E. Dixon, Principal Assistant Inspector General for Auditing and Evaluation, at (202) 366-1427; or Louis C. King, Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1407.

cc: Deputy Secretary
    Assistant Secretary for Budget and Programs/Chief Financial Officer
    CIO Council Members
    Martin Gertel, M-1

EXHIBIT A. Scope and Methodology

The Federal Information Security Management Act of 2002 (FISMA) requires us to perform an independent evaluation to determine the effectiveness of the Department's information security program and practices. FISMA further requires that our evaluation include testing of a representative subset of systems and an assessment, based on our testing, of the Department's compliance with FISMA and applicable requirements. On September 14, 2011, the Office of Management and Budget (OMB) issued M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, which provides instructions to Inspectors General for the completion of their FISMA evaluations and the required OMB template.

To meet FISMA and OMB requirements, we selected a representative subset of 64 of 445 departmental systems (see Table 10) and reviewed the compliance of these systems with NIST and OMB requirements in the following areas: risk categorization; security plans; annual control testing; contingency planning; certification and accreditation; incident handling; and plans of action and milestones. To gain greater insight into information security at the OA level, we doubled our sample size from the 30 systems used in the prior year. To evaluate FDCC compliance within the Department, we selected a stratified sample of 903 of 90,169 devices to be scanned for compliance.
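The report mentions a script that pulled FDCC test results off the scanned devices but does not reproduce it. The following is an added example written for this page, not the OIG's script: it extracts per-device rule results from SCAP scan output in the XCCDF result format (the format that SCAP-validated FDCC scanners emit), computes a pass rate per device, and ranks the rules failed by the most devices. Assumptions: results arrive as XCCDF TestResult elements in either the 1.1 or 1.2 namespace (the code ignores the namespace so both parse); the pass percentage counts only rules that returned pass or fail, so notapplicable, notchecked and error outcomes are tallied separately and never mistaken for passes. The sample document and its rule identifiers are constructed and are not real FDCC rule ids.

```python
"""Extract per-device FDCC check results from SCAP XCCDF result files.

Added example, not the OIG's script. Assumptions: XCCDF TestResult elements in
the 1.1 or 1.2 namespace; pass percentage computed over pass/fail results only.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: one Benchmark carrying results for two hosts. The rule
# ids are illustrative, not real FDCC rule identifiers.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="fdcc-example">
  <TestResult id="result-host-a">
    <target>host-a.example.dot</target>
    <rule-result idref="min-password-length" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="account-lockout-threshold" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="disable-autorun" severity="high"><result>fail</result></rule-result>
    <rule-result idref="ipv6-firewall" severity="low"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">33.33</score>
  </TestResult>
  <TestResult id="result-host-b">
    <target>host-b.example.dot</target>
    <rule-result idref="min-password-length" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="account-lockout-threshold" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="disable-autorun" severity="high"><result>fail</result></rule-result>
    <rule-result idref="ipv6-firewall" severity="low"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]


def extract_results(xml_text):
    """Flatten every rule-result of every TestResult into dict rows."""
    root = ET.fromstring(xml_text)
    rows = []
    for tr in root.iter():
        if _local(tr.tag) != "TestResult":
            continue
        # The <target> child names the device; fall back to the result id.
        target = next((e.text.strip() for e in tr if _local(e.tag) == "target" and e.text), tr.get("id"))
        for rr in tr:
            if _local(rr.tag) != "rule-result":
                continue
            outcome = next((e.text.strip().lower() for e in rr if _local(e.tag) == "result" and e.text), "unknown")
            rows.append({"target": target, "rule": rr.get("idref"),
                         "severity": rr.get("severity", "unknown"), "result": outcome})
    return rows


def compliance_by_target(rows):
    """Per-device pass/fail/other counts and pass percentage over checked rules."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["target"], {"pass": 0, "fail": 0, "other": 0})
        s[r["result"] if r["result"] in ("pass", "fail") else "other"] += 1
    for s in summary.values():
        checked = s["pass"] + s["fail"]
        s["percent"] = round(100 * s["pass"] / checked, 1) if checked else None
    return summary


def most_failed_rules(rows):
    """Rules ranked by how many devices failed them: the remediation priority list."""
    return Counter(r["rule"] for r in rows if r["result"] == "fail").most_common()


if __name__ == "__main__":
    results = extract_results(SAMPLE_XCCDF)
    for target, s in compliance_by_target(results).items():
        print(f"{target}: {s['pass']} pass, {s['fail']} fail, {s['other']} other, {s['percent']}% compliant")
    for rule, n in most_failed_rules(results):
        print(f"{n} device(s) fail {rule}")
```

Feeding every device's result file through extract_results() and concatenating the rows gives the fleet view the scan was run for: most_failed_rules() shows which baseline settings are wrong across the estate, which is a far more useful output than a per-host score, and a device whose file contains no pass or fail results at all (percent None) is a scan failure to chase rather than a compliant host.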
We created a script to extract the test results of FDCC controls from the 437 of the 903 devices that were available for scanning.

For account and identity management, we reviewed 3 of the largest of DOT's 19 general support systems. These three systems are FAA networks that hold 75 percent, or 58,000, of DOT's active user accounts. We also conducted testing to assess the Department's inventory, its overall process for resolving information security weaknesses, configuration management, incident reporting, security awareness training, remote access, and account and identity management. Our tests included analysis of data contained in the Department's CSAM system, reviews of supporting documentation, and interviews with departmental officials.

Table 10: OIG's Representative Subset of DOT Systems, by OA

No.   System                                                                                  Impact Level   Contractor System? b
Federal Aviation Administration
1     Business Communications System                                                          Moderate       No
2     Common Operating Environment                                                            High           Yes
3     ATO Network                                                                             Moderate       No
4     Interim Voice Switch Replacement System                                                 Moderate       Yes
5     Investment Management Tool                                                              Moderate       Yes
6     Air Route Traffic Control Center Critical and Essential Power System Power Monitoring   Low            No
      System
7     Aeronautical Mobile Communications System                                               Moderate       Yes
8     AVS Registry System                                                                     High           No
9     Backfill and Overtime System                                                            Moderate       Yes
10    Simulator Inventory and Evaluation Scheduling System                                    Moderate       No
11    Capability and Architecture Tool Suite                                                  Low            Yes
12    Runway Safety Tracking System                                                           Low            Yes
13    Automated Desktop Support                                                               Low            No
14    Low-Level Windshear Alert System                                                        Moderate       No
15    Regulatory Guidance Library                                                             High           No
16    Quality Management Information Technology System                                        Moderate       No
17    Flight Data Input/Output                                                                Low            Yes
18    Host Interface Device / National Airspace System Local Area Network                     Moderate       No
19    Multi-System Access Tool - Airman & Aircraft                                            Moderate       No
20    Weather System Processor                                                                Moderate       No
21    Information Resource Management System                                                  Low            No
22    Enterprise Services Center Business Systems                                             Moderate       No
23    WJHTC Enterprise Data Center                                                            Moderate       No
24    Performance Data Analysis and Reporting System                                          Moderate       Yes
25    Corporate Work Plan                                                                     Moderate       No
26    Automated Weather Observation System Data Acquisition System                            Low            No
27    Terminal Doppler Weather Radar                                                          Moderate       No
28    System Architect                                                                        Low            No
29    Project Document Library                                                                Moderate       No
30    Remote Maintenance Monitoring System                                                    Moderate       No
31    Office of Aviation Safety Infrastructure                                                High           No
32    Risk Based Resource Targeting                                                           Moderate       Yes
33    AVS Electronic Form Service                                                             Moderate       No
34    Cost Accounting System                                                                  Moderate       No
35    Advanced Qualification Program                                                          Low            Yes
Federal Highway Administration
36    Course Management and Training System                                                   Moderate       Yes
37    Motor Fuels and Finance Analysis System                                                 Low            Yes
38    National Bridge Inventory System                                                        Moderate       Yes
b\n    Federal Motor Carrier Safety Administration\n    39    Analysis and Information                                    Moderate      No\n    40    Licensing and Insurance                                     Moderate      No\n    41    National Registry of Certified Medical Examiners Web Site   Low           Yes\n    Federal Railroad Administration\n    42    CAB Technology Integration Laboratory                       Low           No\n    43    Railroad Credit Risk Assessment System                      Low           Yes\n    44    Financial Management System                                 Moderate      Yes\n    Federal Transit Administration\n    45    FTA Inter/Intranet                                          Moderate      Yes\n    Maritime Administration\n    46    USMMA LAN                                                   Moderate      Yes\n    47    USMMA Student Information System                            Moderate      Yes\n                                                                           c\n    48    Port of Anchorage                                           NC            Yes\n    49    Mariner Outreach System                                     Moderate      Yes\n    National Highway Transportation Safety Administration\n    50    Support Delivery Services Low Impact System                 Low           No\n    51    Mgmt Gov\'t Resource Low Impact System                       Low           Yes\n    Office of Inspector General\n    52    US DOT/OIG Infrastructure                                   Moderate      No\n    53    US DOT/OIG TIGR System                                      Moderate      No\n    Office of the Secretary of Transportation\n    54    Parking and Benefit Transit System                          Moderate      Yes\n    55    Grants Information System                                   Low           Yes\n    56    Rulemaking Management System                                Moderate      Yes\n    57    Delphi                
                                      Moderate      No\n    Pipelines and Hazardous Materials Safety Administration\n    58    Hazmat Intelligence Portal                                  Moderate      Yes\n    59    FEDStar                                                     Low           No\n    Research and Innovative Technology Administration\n    60    RITA Web                                                    Moderate      No\n                                                                           c\n    61    External SharePoint                                         NC            No\n    SLSDC\n    62    Financial Management System                                 Low           No\n    STB\n    63    Case Management System                                      Moderate      No\n    64    Local Area Network                                          Moderate      No\n    Source: OIG\na\n    See Exhibit B for full Operating Administration names.\n\n\n    Exhibit A. Scope and Methodology\n\x0c                                                                                          27\n\nb\n    DOT Cyber security Definition of Contractor System\nc\n    Not Categorized\n\n    As required, we submitted to OMB qualitative assessments pertaining to DOT\xe2\x80\x99s\n    information security program and practices. OMB requires that our FISMA\n    submission include information from all OAs, including OIG. In addition to the\n    preparation of our submission, we reviewed the Department\xe2\x80\x99s progress in\n    resolution of weaknesses and implementation of recommendations identified in\n    our prior FISMA reports.\n\n    We performed our information security review work between February 2011 and\n    October 2011. We conducted our work at departmental and OA Headquarters\'\n    offices in the Washington, D.C., area as well as regional offices in Oklahoma City,\n    Melbourne, Florida, and King\'s Point, New York. 
We conducted our audit in accordance with generally accepted Government
auditing standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.

Previous audit reports on the Department's information security program issued
in response to FISMA's mandate include the following:

• Timely Actions Needed to Improve DOT's Cybersecurity, FI-2011-022,
  November 15, 2010
• Audit of DOT's Information Security Program and Practices, FI-2010-023,
  November 18, 2009
• DOT Information Security Program, FI-2009-003, October 8, 2008
• DOT Information Security Program, FI-2008-001, October 10, 2007
• DOT Information Security Program, FI-2007-002, October 23, 2006
• DOT Information Security Program, FI-2006-002, October 7, 2005
• DOT Information Security Program, FI-2005-001, October 1, 2004
• DOT Information Security Program, FI-2003-086, September 25, 2003
• DOT Information Security Program, FI-2002-115, September 27, 2002
• DOT Information Security Program, FI-2001-090, September 7, 2001

EXHIBIT B. DOT OPERATING ADMINISTRATIONS AND SYSTEM INVENTORY COUNTS

Table 11: OA System Inventory Counts for Fiscal Years 2011 and 2010

                                                                 Fiscal Year
Operating Administration (a)                                    2011    2010
Federal Aviation Administration                                  297     290
Federal Highway Administration                                    21      22
Federal Motor Carrier Safety Administration                       18      21
Federal Railroad Administration                                   13      13
Federal Transit Administration                                     5       5
Maritime Administration                                           25      21
National Highway Traffic Safety Administration                    11      11
Office of Inspector General                                        2       2
Office of the Secretary                                           31      33
Pipeline and Hazardous Materials Safety Administration             5       6
Research and Innovative Technology Administration                 14      13
Saint Lawrence Seaway Development Corporation                      1       1
Surface Transportation Board                                       2       2
  Total Systems                                                  445     440
Source: OIG, and DOT CSAM as of August 6, 2010
(a) For purposes of reporting under FISMA, we consider "Operating
    Administrations" to include all components listed above.
EXHIBIT C. Status of Prior Year's Recommendations

Table 12: OIG Recommendations for Fiscal Year 2010, and Their Status

No.  Status     Recommendation
1    Partially  Address these policy and procedural weaknesses:
     closed     • Develop procedural guidance for the C&A process. In addition, modify
                  existing certification and accreditation policy and procedures to
                  address inheritance of common information security controls, and to
                  provide procedural guidance to modes.
                • Correct POA&M policy to prioritize weaknesses in a way that ensures
                  that high priority weaknesses are resolved before medium priorities,
                  and medium ones before low ones. In addition, develop procedural
                  guidance to ensure consistency of the POA&M process and to facilitate
                  CIO's oversight and management of weaknesses.
                • In conjunction with the modes, develop procedural guidance for
                  tracking and training personnel with significant security
                  responsibilities. This guidance should address maintaining complete
                  inventories of such personnel, and the training needed and provided.
                • Enhance high-level policy with procedural guidance to ensure
                  consistency of the network accounts and identity management.
                • In conjunction with the Assistant Secretary for Administration,
                  complete Department-wide PIV operating procedures, including
                  procedures to terminate PIV cards.
                • Review and revise all configuration management policy and develop
                  specific details for activities that are common across the
                  department. As part of this effort, develop procedural guidance that
                  would define requirements for OAs to use when developing
                  configuration management procedures specific to their operation.
                • Develop procedural guidance that would define requirements for OAs
                  to use when developing incident handling procedures specific to
                  their operation.
                • Enhance policy and procedural guidance to incorporate detailed
                  guidance for managing, monitoring and reporting FDCC compliance,
                  including the use of SCAP tools to ensure FDCC compliance. Once
                  policy adequately addresses contractor oversight per Recommendation
                  4 of last year's report, develop relevant procedural guidance. This
                  policy should establish the criteria and guidelines for DOT's
                  identification and reporting of contractor systems consistent with
                  OMB requirements.
                • Enhance high-level policy with procedural guidance to ensure remote
                  access and wireless networking is authorized, managed and monitored
                  in compliance with OMB, NIST and DOT policies.
2    Open       To the extent the OAs require their own guidance, review guidance to
                verify compliance with department policies and procedures.
3    Open       Implement a quality assurance process to review OA-specific
                configuration management procedures to ensure that they adhere to the
                departmental policy and Federal requirements.
4    Open       Implement a process to review OAs' security configuration management
                practices and software scanning capabilities. Provide monitoring of
                OAs' practices to ensure they are adhering to the policy and practices.
5    Closed     Require OST to implement required system patches on their Delphi
                system.
6    Open       Conduct scanning of all DOT networks to ensure compliance with FDCC
                requirements. In addition, review results of modal SCAP compliance
                scans to identify and resolve incorrect FDCC settings.
7    Open       Require and approve deviation requests for those non-conforming
                settings that are truly needed and for which risks have been mitigated
                and accepted.
8    Open       Conduct periodic tests to assess FDCC compliance and deployment of
                patches, including service packs.
9    Open       Analyze the incorrect FDCC configuration settings identified in our
                testing, and for those that do not have approved deviations, require
                OAs to create POA&Ms to correct the settings.
10   Open       Implement a practice to review OA-specific incident handling
                procedures to ensure that they adhere to the departmental policy.
11   Closed     Implement a process to review reported incidents to ensure timely
                reporting to US-CERT. In addition, provide monitoring of incidents
                reported to ensure all required data in the tracking system(s) is
                up-to-date for incidents sent and data received back from US-CERT.
12   Open       Review FHWA, FMCSA, FRA, FTA and RITA automated scans confirming
                timely resolution of vulnerabilities. If a deficiency is found,
                require the OA to provide corrective action and to update its plan of
                actions and milestones to address the weakness.
13   Open       Require OAs to reconcile their contractor records with the DOT
                security department and update their records accordingly. Monitor,
                and report to the Deputy Secretary, Operating Administrations'
                progress in resolving the discrepancies between their contractor
                records and those of the DOT security department.
14   Open       Identify and implement automated tools to better track contractors
                and training requirements.
15   Closed     In conjunction with MARAD, create a POAM for each system that is
                missing a certification and accreditation. This POAM should be
                properly prioritized to ensure this critical matter is immediately
                addressed.
16   Closed     In conjunction with MARAD, promptly update the Cyber Security
                Assessment and Management (CSAM) system to reflect its current system
                inventory and related information (including status of certification
                and accreditation).
17   Closed     Work with MARAD to finalize agreements with C&A service providers to
                certify MARAD systems.
18   Open       Review the results of OA assessments to determine an accurate
                inventory of contractor systems.
19   Open       Work with the Department's acquisition personnel to develop common
                contract language that requires IT contractors to enforce applicable
                FISMA and OMB requirements. Once this language is approved, review all
                new planned IT acquisitions, prior to award, to verify that this
                clause is contained in the statement of work or comparable document.
20   Open       Research and standardize automated tools that will proactively
                monitor remote devices connecting to DOT networks.
21   Open       Conduct tests of remote access solutions to ensure they comply with
                Federal requirements and DOT guidance.
22   Closed     In conjunction with the Assistant Secretary for Administration,
                develop a Department-wide implementation plan that specifies
                resources needed, responsible parties, strategies for risk mitigation,
                etc., to ensure that all employees and contractors receive PIV cards
                by December 31, 2010.
23   Open       Implement the use of PIV cards as the primary authentication
                mechanism to support multi-factor authentication at the system and
                application level for all DOT's employees and contractors.
24   Open       Perform periodic reviews of active user accounts and network devices
                to identify accounts that need to be disabled.
25   Open       Work with OAs to identify and logically segregate user accounts and
                service (role) accounts.
26   Open       Work with OAs to implement automated mechanisms to disable inactive
                accounts, as specified by DOT policies, and to audit account creation,
                modification, disabling, and termination actions.
27   Open       Educate and assist OAs in implementing dual accounts for
                administrators. Subsequently, conduct reviews to determine that all
                DOT GSSs use these accounts.
Source: OIG

Table 13: OIG Recommendations for Fiscal Year 2009, and Their Status

No.  Status     Recommendation
1    Closed     Revise the incident response policy to identify conditions under
                which incidents should be reported to law enforcement (i.e., OIG),
                how the reporting should be performed, what evidence should be
                collected, and how it should be collected.
2    Closed     Revise the security awareness and training policy to include the
                identification of all users, such as employees, contractors, and
                others requiring access to DOT information systems. Include
                provisions in the policy to separate these active user accounts from
                the non-person accounts.
3    Closed     Revise training policy to list the job functions that require
                specialized security training and the type of specialized training
                that is required for those job functions as described in NIST SP
                800-16.
4    Closed     Revise policy to address security of information and information
                systems managed by contractors, including information security roles
                and responsibilities, security control baselines and rules for
                departures from baseline, and rules of behavior for contractors and
                minimum repercussions for noncompliance.
5    Closed     Revise the interface agreement policy to incorporate necessary
                elements, such as purpose of the interconnection, description of
                security controls, schematic of interconnection, timelines for
                terminating or reauthorizing the interconnection, and authority of
                establishing the interconnection.
6    Closed     Revise the plan of action and milestones policy to address all the
                OMB requirements, including description of weakness, scheduled
                completion date, key milestones, changes to milestones, source of the
                weakness, and status.
7    Closed     Ensure that the Federal Aviation Administration, Saint Lawrence
                Seaway Development Corporation, and Pipeline and Hazardous Materials
                Safety Administration have deployed DOT approved configuration
                baselines and tools to assess implementation status.
8    Open       Use automated tools to periodically verify status of completion
                reported by Operating Administrations and identify deviations from
                the approved baseline configurations.
9    Closed     Require Operating Administrations to manage identified deviations
                from approved baseline configurations by tracking and resolving
                significant baseline configuration weaknesses in plan of actions and
                milestones.
10   Closed     Work with Operating Administration Chief Information Officers to
                ensure that all new IT contracts include the acquisition language on
                common security configurations as required by DOT and OMB M-07-18.
11   Closed     Work with the CSMC to develop a process to ensure that all Department
                of Homeland Security reference numbers are received and entered into
                the DOT tracking system for confirmation.
12   Closed     Develop and establish a tracking system that effectively and
                routinely accounts for all active contractors requiring security
                awareness training.
13   Closed     Develop a mechanism to enforce that all employees, including
                contractors, with login privileges have completed the required annual
                security awareness training in order to gain and maintain access to
                Department information systems.
14   Closed     Identify and ensure all employees with significant security
                responsibilities take the necessary specialized security training to
                fulfill their responsibilities.
15   Closed     Monitor, and report to the Deputy Secretary, Operating
                Administrations' progress in resolving long overdue security
                weaknesses, reestablishing target completion dates in accordance with
                departmental policy, providing cost estimation for fixing security
                weaknesses, prioritizing weaknesses, and recording all identified
                security weaknesses in plan of actions and milestones.
16   Open       Ensure accurate information is used to monitor Operating
                Administrations' progress in correcting security weaknesses.
17   Open       Require the Chief Information Security Officer and Operating
                Administrations to conduct a review to identify all interfaces with
                systems external to the Department, ensure related security
                agreements are adequate, and track them in the Cyber Security
                Assessment and Management system.
18   Closed     Ensure that Maritime Administration properly inventories its
                information systems and tracks them in the Cyber Security Assessment
                and Management system. (MARAD)
19   Closed     Ensure that Maritime Administration certifies and accredits each
                system in the revised inventory. (MARAD)
20   Open       Improve its quality assurance checks on the Operating
                Administrations' certifications and accreditations by increasing the
                frequency and scope of its checks, communicating results and expected
                actions to the Operating Administrations, requiring updated plan of
                actions and milestones to address weaknesses noted (including those
                found in the Inspector General reviews), and following up on
                resolution of weaknesses noted.
21   Closed (a) Require Federal Aviation Administration, Federal Highway
                Administration, Federal Railroad Administration, Maritime
                Administration, Office of the Secretary of Transportation and
                Pipeline and Hazardous Materials Safety Administration to conduct
                system contingency testing of the systems that did not have evidence
                of such tests.
22   Open       Develop a process to ensure Operating Administrations continuously
                monitor and test information system security controls.
23   Closed     Finalize the inventory count for systems containing privacy
                information.
24   Closed     Work with Operating Administrations to complete privacy impact
                assessments for applicable information systems.
25   Closed     Work with the Federal Aviation Administration to establish a
                reasonable target date for the completion of the reduction of social
                security numbers recorded in its systems.
26   Closed (b) Implement 2-factor authentication for remote access.
27   Open       Implement NIST-approved encryption on all mobile computers/devices.
Source: OIG
(a) Replaced with 2011 Recommendation No. 3
(b) Merged into 2010 Recommendation No. 23
EXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT

Name                     Title
Louis C. King            Former Program Director
Nathan Custer            Program Director
Michael Marshlick        Project Manager
Lissette Mercado         Project Manager
Gerald Steere            Computer Scientist
James Mallow             Project Manager
Martha Morrobel          Information Technology Specialist
Tracy Colligan           Information Technology Specialist
Felicia Moore            Information Technology Specialist
James Mullen             Information Technology Specialist
Nileshkumar Patel        Information Technology Specialist
Jason Mott               Information Technology Specialist
Jenelle Morris           Information Technology Specialist
LaKarla Lindsay          Referencer
Petra Swartzlander       Statistician
Susan Neill              Writer-Editor

APPENDIX. MANAGEMENT COMMENTS

Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation

Subject:  ACTION: Management Response to the Office of Inspector General (OIG)
          Draft Report on Federal Information Security Management Act
Date:
From:     Nitin Pradhan
          DOT Chief Information Officer
Reply To Attn. of:
To:       Calvin L. Scovel III
          Inspector General

DOT Achieved Considerable Cybersecurity Progress in 2011

During the past year, the Department made significant progress in addressing
cybersecurity goals and vulnerabilities by leveraging the limited available
resources to implement key Federal and departmental initiatives. These efforts
are complicated by the fact that our systems must be operational around the
clock every day of the year, and any changes must be completed while "keeping
the lights on," to support the critical day-to-day operations of the Department
of Transportation (DOT). In addition to the OIG report's recognition of our
progress in issuing policies, implementing procedures, and providing
cybersecurity awareness training throughout the Department, we also made
considerable progress implementing focused efforts on some of the most
pervasive threats to critical business support operations, including:

• Stabilized and Upgraded E-mail -- The DOT CIO prioritized resources to
  address critical issues with enterprise e-mail. Actions included increasing
  the storage available for replication of e-mail to an alternate site;
  upgrading server hardware and software; and implementing Microsoft Exchange
  2010 to bolster the security and privacy of e-mail, a key Federal priority to
  reduce exposure to attacks such as spearphishing and permit advanced
  information flow controls to prevent government information from being
  transferred to non-government computers.

• Created IT Vital Signs -- We began implementing the IT Vital Signs
  performance management dashboard as part of a continuous monitoring strategy
  to increase visibility into cybersecurity performance and compliance and to
  assist DOT operating administrations and other stakeholders in improving
  their security postures.

• Established Automated Data Feeds -- The DOT CISO and staff worked with the
  Federal Aviation Administration (FAA), the Cyber Security Management Center
  (CSMC) and the CIO's own Information Technology Shared Services (ITSS) team
  to implement Department of Homeland Security (DHS) initiatives to improve
  cyber-situational awareness with Automated Data Feeds. Automated data feeds,
  which provide asset hardware and software information, assessment of
  vulnerabilities, status of compliance with secure configuration requirements,
  and the status of patches applied to the asset, were put in place to support
  the two largest technology infrastructure components in the Department. Since
  January 2011, the Department has used this important data to further improve
  cybersecurity. This data is providing vital information to improve processes;
  enhance visibility across Departmental networks; and develop repeatable
  processes for core cybersecurity program controls of asset management,
  vulnerability assessment, configuration management, and patch management.

• Expanded Trusted Internet Connections (TIC) – In response to recommendations
  arising from the Federal CyberStat assessment process, the Department fully
  implemented TIC version one critical capabilities. DOT's internet connections
  are protected by the DHS Einstein program and are being monitored for
  suspicious and malicious activity by both DHS and DOT. The Department
  continues to progress on migrating external connections to its TICs for
  improved security and is expected to complete this work before the end of
  fiscal year 2012.

• Established Domain Name System Security Extensions (DNSSEC) -- DOT
  implemented DNSSEC on all of the Department's top level .GOV domains. This
  change resulted in additional internet-related security through data
  authentication and integrity verification that increases trust in DOT web
  sites and e-mail communications.

• Implemented Personal Identity Verification (PIV) cards -- DOT made
  tremendous progress issuing PIV cards to Federal employees throughout the
  Department—a time consuming, logistically complex, and costly endeavor that
  provides enhanced capabilities for both physical and logical access.

• Revamped Cybersecurity Leadership -- Senior DOT leadership enhanced the DOT
  cybersecurity program organizational structure to stand shoulder-to-shoulder
  with other cabinet-level Federal Departments by creating a new executive
  cybersecurity leadership position that will be responsible for overall
  cybersecurity management including building and maintaining Department-wide
  consensus and maintaining progress.

• Created Roadmap for Enterprise Authentication Services -- The DOT CIO
  prioritized resources to implement an enterprise authentication service.
  This service will enable employees to reduce the number of passwords and use
  DOT-issued PIV cards to access applications. The Department has integrated
  three large systems via this employee-originated initiative. We produced a
  roadmap for incorporating other agency systems and enabling the use of the
  PIV card for employee login over the next two years.
Management Comments\n\x0c                                                                                                          37\n\n\n\n\n                                                                                                      3\n\n\n    \xe2\x80\xa2    Solidified Vision for Secure Mobility Technologies -- The DOT CIO implemented a\n         plan to address the telework and mobility needs of the Department, in keeping with\n         the Department\xe2\x80\x99s Strategic Plan and goals of reduced congestion, environmental\n         stewardship, and security preparedness. The CIO\xe2\x80\x99s plan included the development of\n         security standards, policies, and procedures for ensuring the protection of agency\n         information on mobile devices; an active pilot to test the standards and policies in the\n         DOT environment; and the evaluation of technologies to improve the management\n         and security of mobile technology.\n\n    \xe2\x80\xa2    Expanded Enterprise Cybersecurity Related Governance -- DOT achieved significant\n         progress in planning and implementing governance structure and activities relating to\n         cybersecurity, including:\n\n              o    IT infrastructure modernization plan and roadmap -- The DOT common\n                   operating environment underwent extensive analysis that addressed DOT-\n                   wide infrastructure security, solution architectures, and evolving customer\n                   demands (e.g., mobility), to formulate a three-year action plan.\n\n              o    Cybersecurity Integrated Project Team (IPT) and Steering Committee --\n                   The DOT CIO established a Cybersecurity IPT composed of the DOT CISO\n                   and security personnel from Office of the Secretary (OST) and Operating\n                   Administrations (OAs) to provide focused effort on enhancing cybersecurity.\n\n              o    Cybersecurity Policy Working Group -- 
The DOT CISO established a\n                   cybersecurity policy working group consisting of security personnel from the\n                   OAs to focus specifically on a comprehensive update to Departmental policy\n                   and procedures.\n\n              o    Cloud Management Group -- The DOT CIO established a Departmental\n                   cloud management group to oversee and guide the agency\xe2\x80\x99s evaluation of the\n                   potential implications of expanding use of secure cloud services.\n\nAchieving Cybersecurity Progress with Focus and Accountability\n\nMaintaining and improving the security of our critical business information systems is an\nabsolute priority for the Department. My staff is in the process of closely reviewing the OIG\ndraft report and will provide a detailed plan of action, and milestones, addressing and\nprioritizing each of the OIG recommendations before the end of the calendar year. We will\nestablish priorities and recognize modal accountability in formulating plans to move forward.\n\nEstablishing Priorities for 2012\n\nResources are increasingly constrained and it is unlikely that our cybersecurity program will\nreceive the additional resources as anticipated in our earlier planning. As a result, it is neither\nrealistic nor plausible to commit to addressing all of the issues described in the OIG draft\nreport in a single year. While the issues discussed in the OIG draft report are integral to\n\n\n\n\nAppendix. 
Management Comments\n\x0c                                                                                                         38\n\n\n\n\n                                                                                                   4\n\n\n    FISMA objectives, it is imperative that we focus our constrained resources on the highest\n    priority actions.\n\n    At this point, we anticipate focusing our cybersecurity efforts during 2012 to improve\n    perimeter security, implement automated continuous monitoring, and move toward full\n    implementation of PIV-centric multifactor authentication as resources become available. My\n    office continues to collaborate with the various National Security staff members supporting\n    the Federal Cybersecurity Coordinator, the Office of Management and Budget, and DHS to\n    coordinate and achieve these efforts. To the extent that funding may be less than anticipated,\n    effectively prioritizing these initiatives will ensure that all available resources are focused on\n    the highest priority actions for the Department.\n\n    Maintaining Accountability Throughout the Department\n\n    While my office establishes and conveys policy through numerous channels to maintain a\n    sense of cohesive direction for the Department\xe2\x80\x99s cybersecurity efforts, in most cases,\n    implementation must occur in the Operating Administrations. In order to gain the maximum\n    benefit from limited resources and increase accountability, it would be highly constructive for\n    future OIG efforts to provide detailed information in its reports segmented by Operating\n    Administration. This would facilitate the Department\xe2\x80\x99s ability to focus its efforts and increase\n    accountability. Such reporting is consistent with the current financial audit process and would\n    reduce duplicative reporting. 
Many of the key actions that must be taken to improve\n    cybersecurity will depend on the coordinated and collaborative efforts of the Office of the\n    Secretary (OST) and the Operating Administrations. The DOT OCIO will support progress\n    through defining, developing, and aggressively tracking standards, policies, plans and\n    roadmaps. Further, the Operating Administrations should implement improvements based on\n    established priorities set in a collaborative environment, enumerating specific expectations,\n    and utilizing available data to create tracking metrics to ensure accountability. Further\n    enhancement of IT Vital Signs will help provide meaningful metrics to conduct departmental\n    TechStats to assess progress and establish specific metrics for accountability.\n\n    Overall, vigilance and further improvement to our cybersecurity posture is imperative to the\n    effective functioning of the Department, the larger Federal community, and our Nation\xe2\x80\x99s\n    transportation systems. We take this responsibility seriously, and we do everything possible\n    to ensure our systems are strong, resilient and managed in accordance with Federal\n    requirements.\n\n\n\n\nAppendix. Management Comments\n\x0c'